DDoS Attacks Less Frequent But Pack More Punch: Report
8.8.18 securityweek Attack
There were seven times more distributed denial (DDoS) attacks larger than 300 Gbps (gigabit per second) observed during the first six months of 18 compared to the first half of 2017, NETSCOUT Arbor reveals.
According to the security company’s latest threat intelligence report, the number of large DDoS attacks jumped from 7 to 47 year-over-year in the first half of 18, and the average DDoS attack size grow 174% during that period. The overall frequency of attacks, however, went down 13%.
The overall assault size was driven by novel techniques and has seen an increase of 37% since memcached appeared (memcached amplification fueled a 1.7 Tbps attack earlier this year). Between March and June 18, the number of vulnerable (and accessible) memcached servers dropped from 17,000 to 550.
Although it has been used for reflection/amplification for years, Simple Service Discovery Protocol (SSDP) has received increased attention this year, when it was used to deliver traffic from ephemeral source ports. There are around 33,000 SSDP reflectors that could be abused in attacks, the report reveals (PDF).
The rise of Internet of Things (IoT) devices, most of which lack proper protection, use default credentials and are plagued with both known and unknown software vulnerabilities, is expected to continue to fuel a growth in IoT botnets such as Mirai, which has spawned numerous variants over the past two years.
Attack targets have diversified, with verticals such as finance, gaming, and e-commerce being most likely to be targeted. Telecommunications providers observed the largest number of incidents, and data hosting services were also targeted.
“Today, any organization, for any real or perceived offense or affiliation, can become a target of a DDoS attack,” NETSCOUT Arbor says.
In addition to DDoS attacks, cybercrime and nation-state espionage attacks represent other types of threats posing high risks to organizations and consumers alike.
“Over the past 18 months, internet worms, supply chain attacks, and customer premises equipment (CPE)/IoT compromises have opened up internetscale threat activity. Nation-state APT groups continue to develop globally, used as another means of state-craft and often targeting governments and institutions of geo-strategic relevance,” the report reads.
Targeting newly discovered vulnerabilities in Office, the Iran-based threat actor OilRig has been highly active over the past year. Russian-linked cyber-group Fancy Bear wasn’t dormant either, with the most noteworthy attack recently attributed to it being the VPNFilter malware campaign.
Hidden Cobra, the North Korean threat actor also known as the Lazarus Group, has been observed targeting crypto-currency exchanges, as well as Central and South American banks. Operating out of Vietnam, Ocean Lotus has been actively targeting government and finance sectors over the past year.
The crimeware sector too remains robust and NETSCOUT Arbor expects it to spread beyond its traditional attack methods. There’s an increase in the use of auto-propagation methods, which have already fueled massive malware distribution campaigns such as last year’s WannaCry and NotPetya.
“The hunger for exploitation of new vectors will also continue, as we have seen in the immense DDoS attack impact created by Memcached earlier this year,” NETSCOUT Arbor says.
The security firm also expects an increase in SSDP abuse for internal intrusion, as well as growth in the “use of legitimate software programs by espionage groups and the addition of secondary tactics such as adding crypto-currency mining by crimeware actors.”